Jan 06, 2026, 08:30 PM
# Offensive Dorks
Over 200 Shodan queries classified by category, with geographic details when relevant.
## C2 (Command & Control) Infrastructure
```
# Cobalt Strike
product:"cobalt strike team server"
product:"Cobalt Strike Beacon"
ssl.cert.serial:146473198
ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1
ssl:foren.zik
# Brute Ratel C4
http.html_hash:-1957161625
product:"Brute Ratel C4"
# Metasploit
ssl:"MetasploitSelfSignedCA"
# Covenant
ssl:"Covenant" http.component:"Blazor"
# Mythic
ssl:"Mythic"
ssl:Mythic port:7443
# Sliver C2
product:"Sliver C2"
# Various RATs
product:'Ares RAT C2'
product:'DarkComet Trojan'
product:'DarkTrack RAT Trojan'
product:'Orcus RAT Trojan'
product:'XtremeRAT Trojan'
ssl:"AsyncRAT Server"
ssl.cert.subject.cn:"Quasar Server CA"
http.title:"Meduza Stealer"
http.title:"Mystic Stealer"
"nimplant C2 server"
```
## Industrial Control Systems (ICS/SCADA)
### Specific Equipment
```
# Samsung digital signage
"Server: Prismview Player"
# Gas pump controllers (ATG)
# ~91% in the United States (5300+ out of 5800 detected according to Rapid7)
"in-tank inventory" port:10001
# License plate readers (ALPR)
# Mainly USA, UK, Australia
P372 "ANPR enabled"
html:"PIPS Technology ALPR Processors"
# Traffic light controllers
mikrotik streetlight
# Nordex wind turbines (German manufacturer)
http.title:"Nordex Control" "Windows 2000 5.0 x86"
title:"xzeres wind"
# Siemens PLCs (global, strong in Europe)
"Siemens, SIMATIC" port:161
# Siemens HVAC systems
"Server: Microsoft-WinCE" "Content-Length: 12581"
# DICOM medical equipment
"DICOM Server Response" port:104
# GaugeTech electric meters
"Server: EIG Embedded Web Server" "200 Document follows"
# HID access controllers (US manufacturer)
"HID VertX" port:4070
# Tesla PowerPack (USA, Australia)
http.title:"Tesla PowerPack System" http.component:"d3"
# Electric vehicle chargers
"Server: gSOAP/2.8" "Content-Length: 583"
# Maritime satellites
"Cobham SATCOM" OR ("Sailor" "VSAT")
# Research submarines (USA)
title:"Slocum Fleet Mission Control"
# CAREL industrial refrigeration (Italy)
"Server: CarelDataServer" "200 Document follows"
# NCR ATMs (US manufacturer)
NCR Port:"161"
# Prison phones (USA only)
"[2J[H Encartele Confidential"
# Cisco lawful intercept (USA)
"Cisco IOS" "ADVIPSERVICESK9_LI-M"
```
### Industrial Protocols
```
port:502 # Modbus
port:1911,4911 product:Niagara # Niagara Fox (Tridium, USA)
port:47808 # BACnet
port:102 # S7 (Siemens, Germany)
port:44818 # EtherNet/IP
port:20000 source address # DNP3
port:2404 asdu address # IEC 60870-5-104
```
## Remote Access
```
# VNC without authentication
"authentication disabled" "RFB 003.008"
"authentication disabled" port:5900,5901
# Windows Remote Desktop (RDP)
"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"
# RDP infected by ransomware
"attention" "encrypted" port:3389
# Telnet with open root session
"root@" port:23 -login -password -name -Session
port:23 console gateway
# Exposed Android Debug Bridge
"Android Debug Bridge" "Device" port:5555
# Citrix
"Citrix Applications:" port:1604
title:"citrix gateway"
html:"/citrix/xenapp"
# Polycom video conferencing
http.title:"- Polycom" "Server: lighttpd"
"Polycom Command Shell" -failed port:23
# noVNC
http.title:"noVNC"
# Lantronix serial-to-ethernet adapters
Lantronix password port:30718 -secured
"Press Enter for Setup Mode port:9999"
```
## Exposed Databases
```
# MongoDB
"MongoDB Server Information" port:27017 -authentication
"Set-Cookie: mongo-express=" "200 OK"
http.title:"mongo express"
# Elasticsearch
port:9200 json
port:"9200" all:"elastic indices"
http.title:"kibana"
# Redis
product:"Redis"
html:"redis.conf"
# MySQL
product:MySQL
mysql port:"3306"
# PostgreSQL
port:5432 product:"PostgreSQL"
# CouchDB
product:"CouchDB"
port:"5984"+Server: "CouchDB/2.1.0"
# Cassandra
product:"Cassandra"
cpe:"cpe:2.3:a:apache:cassandra"
# Memcached
product:"Memcached"
# Riak
port:8087 Riak
# ClickHouse
"X-ClickHouse-Summary"
# InfluxDB
"X-Influxdb-"
```
## DevOps and Cloud Infrastructure
```
# Jenkins
"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
x-jenkins 200
# Docker
"Docker Containers:" port:2375
"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab
port:2375 product:"docker"
# Kubernetes
title:"Weave Scope" http.favicon.hash:567176827
product:"kubernetes"
ssl:"Kubernetes Ingress Controller Fake Certificate"
http.title:"Kubernetes Operational View"
http.title:"Hubble UI"
title:kubecost
title:Kube-state-metrics
# GitLab
http.title:"GitLab"
product:"GitLab Self-Managed"
html:"GitLab Enterprise Edition"
# Gitea
http.title:"Gitea"
html:"Powered by Gitea"
# Grafana
http.title:"Grafana"
# Prometheus/Alertmanager
http.title:"Alertmanager"
http.title:"Prometheus"
# Argo CD
http.title:"Argo CD"
html:"Argo CD"
# Airflow
http.title:"Sign In - Airflow"
html:"Apache Airflow"
# Harbor Registry
http.title:"Harbor"
# Rancher
http.title:"Rancher"
# Portainer
http.title:"Portainer"
# Traefik
http.title:"traefik"
# Consul/Vault
http.title:"Consul"
http.title:"Vault"
# Exposed AWS
html:"Amazon EC2 Status"
html:"AWS EC2 Auto Scaling Lab"
title:"Amazon ECS Sample App"
X-Amz-Server-Side-Encryption
html:"blob.core.windows.net"
# Azure
title:"Microsoft Azure App Service - Welcome"
html:"Your Azure Function App is up and running"
title:"Welcome to Azure Container Instances!"
```
## File Shares and NAS
```
# SMB without authentication
"Authentication: disabled" port:445
"Authentication: disabled" NETLOGON SYSVOL -unix port:445
# Anonymous FTP
"220" "230 Login successful." port:21
product:"vsftpd"
product:"ProFTPD"
# NAS
"Set-Cookie: iomega=" -"manage/login.html"
Redirecting sencha port:9000
ssl.cert.issuer.cn:"QNAP NAS"
# Shared sensitive files
"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" port:445
"IPC$ all storage devices"
# File servers
product:"HttpFileServer httpd"
http.title:"HFS /"
```
## Webcams and Video Surveillance
### By Manufacturer
| Manufacturer | Country of Origin | Dork |
|--------------|-------------------|------|
| Hikvision | China | `product:"Hikvision IP Camera"` |
| Dahua | China | `product:"Dahua"` |
| Reolink | China | `http.title:"Reolink"` |
| GeoVision | Taiwan | `server: GeoHttpServer` |
| Vivotek | Taiwan | `server: VVTK-HTTP-Server` |
| D-Link | Taiwan | `"d-Link Internet Camera, 200 OK"` |
| Avigilon | Canada | `title:"Avigilon"` |
| Mobotix | Germany | `title:"Mobotix"` |
| TRASSIR | Russia | `title:"Trassir Webview"` |
| Blue Iris | USA (software) | `http.title:"Blue Iris Login"` |
| Samsung | South Korea | `title:"web viewer for samsung dvr"` |
> **Security Note**: Hikvision has a known backdoor (CVE-2021-36260)
### Generic Queries
```
title:camera
webcam has_screenshot:true
title:"IPCam Client"
title:"ContaCam"
200 ok dvr port:"81"
Netwave IP Camera Content-Length: 2574
"Server: yawcam" "Mime-Type: text/html"
("webcam 7" OR "webcamXP") http.component:"mootools"
"Server: IP Webcam Server" "200 OK"
html:"DVR_H264 ActiveX"
"Hipcam RealServer/V1.0"
http.title:"NETSurveillance WEB"
http.title:"CompleteView Web Client"
```
## Network Equipment and Routers
### By Manufacturer
| Manufacturer | Country | Dorks |
|--------------|---------|-------|
| Cisco | USA | `"smart install client active"`, `http.title:"Cisco Systems Login"` |
| MikroTik | Latvia | `http.title:"RouterOS router configuration page"`, `product:"MikroTik RouterOS API Service"` |
| Fortinet | USA | `ssl:"ou=fortigate"`, `http.title:"FORTINET LOGIN"` |
| Palo Alto | USA | `http.title:"Palo Alto"` |
| SonicWall | USA | `http.title:"SonicWall Network Security"` |
| Juniper | USA | `http.title:"Juniper Web Device Manager"` |
| Ubiquiti | USA | `http.title:"UniFi Network"`, `http.title:"AirCube Dashboard"` |
| Huawei | China | `http.title:"HUAWEI"`, `html:"HUAWEI Home Gateway HG658d"` |
| ZTE | China | `html:"ZTE Corporation"` |
| TP-Link | China | `html:"WN530HG4"`, `html:"WN531G3"` |
| D-Link | Taiwan | `"DIR-845L"` |
| ASUS | Taiwan | `title:"AiCloud"`, `"RT-N16"` |
| Tenda | China | `http.title:"Tenda 11N Wireless Router Login Screen"` |
### Specific Queries
```
# Compromised routers
HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD
hacked-router-help-sos
# pfSense/OPNsense (open source)
http.title:"pfsense - login"
http.title:"opnsense"
# Intel AMT (CVE-2017-5689)
"Intel® Active Management Technology" port:623,664,16992,16993,16994,16995
# HP iLO
HP-ILO-4 !"HP-ILO-4/2.53" port:1900
# IPMI/BMC
http.title:"Supermicro BMC Login"
# Linksys
http.title:"Linksys Smart WI-FI"
# HP/Aruba
http.title:"HP Virtual Connect Manager"
```
## Vulnerable Web Applications
```
# WordPress
http.html:"* The wp-config.php creation script uses this file"
http.html:/wp-content/plugins/jestream-fusion/
http.component:"WordPress"
# Magento
http.component:"magento"
http.title:"Magento Installation"
# Drupal
http.component:"drupal"
# Joomla
http.component:"Joomla"
http.title:"Joomla Web Installer"
# Laravel
Laravel-Framework
html:"Laragon" html:"phpinfo"
# Django
http.title:"The install worked successfully! Congratulations!"
cpe:"cpe:2.3:a:djangoproject:django"
# Symfony
html:"symfony Profiler"
http.title:"Welcome to Symfony"
# phpMyAdmin
http.title:phpMyAdmin
html:"phpMyAdmin"
# Adminer
http.title:adminer
# Directory listing
http.title:"Index of /" http.html:".pem"
http.title:"Index of /" http.html:"phpinfo.php"
# Revealing error pages
http.title:"Struts Problem Report"
html:"Whitelabel Error Page"
html:"Twig Runtime Error"
http.title:"PHP warning" || "Fatal error"
html:"yii\base\ErrorException"
http.title:"Runtime Error"
http.title:"Database Error"
# Exposed configuration files
html:"wp-config.php"
html:"config.php"
html:".env"
html:"parameters.yml"
html:"settings.py"
html:"application.properties"
```
## Email Servers
```
# Exchange OWA
"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"
"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"
# Zimbra
http.title:"Zimbra"
# Roundcube
http.component:"RoundCube"
# Horde
http.title:"Horde"
# SOGo
http.title:"SOGo"
# Axigen
product:"Axigen"
http.title:"Axigen WebMail"
# SMTP servers
ESMTP
product:"Exim smtpd"
```
## VPN and Secure Access
```
# OpenVPN
cpe:"cpe:2.3:a:openvpn:openvpn_access_server"
http.title:"openvpn connect"
http.title:"OVPN Config Download"
http.title:"TurnKey OpenVPN"
# Pulse Secure
cpe:"cpe:2.3:a:pulsesecure:pulse_connect_secure"
http.html:/dana-na
# Fortinet VPN
http.title:"FortiPortal"
ssl:"ou=fortiauthenticator"
# Cisco AnyConnect
http.title:"Cisco Secure CN"
# WireGuard
http.title:"WireGuard"
# SoftEther
http.title:"SoftEther VPN Server"
```
## Exposed Security Tools
```
# Nessus
http.title:"Nessus"
# Burp Collaborator
"Server: Burp Collaborator"
# OWASP ZAP
http.title:"OWASP ZAP"
# Nuclei/Interactsh
html:"Interactsh Server"
# Gophish (phishing)
http.title:"Gophish - Login"
# DefectDojo
html:"DefectDojo Logo"
# Faraday
html:"faradayApp"
# reNgine
title:"reNgine"
# OpenCTI
html:"OpenCTI"
```
## Compromised Systems and Ransomware
```
# Hacked routers
HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD
# Infected RDP services
"attention" "encrypted" port:3389
# Compromised FTP
HACKED FTP server
# Defaced sites
http.title:"Hacked By"
http.title:"0wn3d by"
# Ransomware with screenshot
bitcoin has_screenshot:true
has_screenshot:true encrypted attention
```
## IoT and Home Devices
```
# Chromecast/Smart TV
"Chromecast:" port:8008
# Apple AirPlay
"\x08_airplay" port:5353
# Yamaha
"Server: AV_Receiver" "HTTP/1.1 406"
# Crestron home automation
"Model: PYNG-HUB"
# Thermostats
http.title:"Heatmiser Wifi Thermostat"
# Smart bulbs
http.title:"Hue Personal"
# 3D printers
title:"OctoPrint" -title:"Login"
# Crypto miners
"ETH - Total speed"
antminer
```
## Printers
```
# HP
"Serial Number:" "Built:" "Server: HP HTTP"
http.title:"HP Color LaserJet"
# Xerox
ssl:"Xerox Generic Root"
http.title:"XEROX WORKCENTRE"
# Epson
"SERVER: EPSON_Linux UPnP" "200 OK"
# Canon
"Server: KS_HTTP" "200 OK"
"Server: CANON HTTP Server"
# Ricoh
html:"Web Image Monitor"
# Konica Minolta
http.title:"Konica Minolta"
```
## Favicon Hash
```
http.favicon.hash:945408572 # Fortinet
http.favicon.hash:1057565779 # Citrix
http.favicon.hash:1099370896 # Grafana
http.favicon.hash:-338095061 # Kibana
http.favicon.hash:-388646567 # Jenkins
http.favicon.hash:-1505567026 # GitLab
http.favicon.hash:116323821 # Spring Boot
```
## CVE Vulnerabilities (vuln: filter)
> Requires Small Business plan minimum
```
vuln:CVE-2014-0160 # Heartbleed
vuln:CVE-2021-44228 # Log4Shell
vuln:CVE-2021-26855 # ProxyLogon (Exchange)
vuln:CVE-2019-19781 # Citrix ADC
vuln:CVE-2017-0144 # EternalBlue
vuln:CVE-2021-34473 # ProxyShell
vuln:CVE-2022-22954 # VMware Workspace ONE
vuln:CVE-2023-22515 # Confluence
vuln:CVE-2024-27348 # Apache HugeGraph
```
## Country-Specific Products
### China
```
# Chinese CMS and applications
html:"通达OA" # Tongda OA
html:"DedeCms" # Popular CMS
title:"dedecms"
html:"帝国CMS" # Empire CMS
html:"PbootCMS"
html:"ThinkPHP" # PHP Framework
title:"ThinkPHP"
html:"YzmCMS"
html:"Z-BlogPHP"
html:"Wuzhicms"
html:"74cms" # Job portal
html:"zzcms"
html:"ZzzCMS"
# Routers
http.title:"小米路由器" # Xiaomi
# Specific systems
html:"高清智能录播系统" # Recording system
http.title:"TamronOS IPTV系统"
title:"孚盟云"
title:"ShopXO企业级B2C电商系统"
http.title:"WIFISKY-7层流控路由器"
# Security
html:"H3C-SecPath-运维审计系统" # H3C
```
### Russia
```
html:"Bitrix" # Very popular CMS
http.html:"/bitrix/"
title:"контроллер" # Controller
title:"Trassir Webview" # Video surveillance
```
### France
```
http.title:"HYPERPLANNING" # School software
http.title:"PRONOTE" # School software
html:"engage - Portail soignant" # Healthcare
```
### South Korea
```
html:"Gnuboard"
html:"gnuboard5"
```
## Geographic Queries
### Basic Filters
```
country:US # United States
country:GB # United Kingdom
country
E # Germany
country:FR # France
country:CN # China
country:RU # Russia
country:JP # Japan
country:IN # India
country:BR # Brazil
city:"Paris"
city:"New York"
region:"California"
region:"Texas"
```
### By ASN
```
asn:AS15169 # Google
asn:AS8075 # Microsoft
asn:AS16509 # Amazon AWS
asn:AS13335 # Cloudflare
```
### Special Case: North Korea
```
# Entire country (~1024 IPs)
net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24
```
### Useful Combinations
```
# US company infrastructure
org:"Target Company" country:US port:443
# Exposed MongoDB in Germany
product:MongoDB countryE -authentication
# Jenkins in China
"X-Jenkins" country:CN
# Webcams in the USA
webcam country:US has_screenshot:true
# MikroTik routers in Russia
product:"MikroTik" country:RU
# Vulnerable Apache servers in Europe
product:apache vuln:CVE-2021-41773 country:FR,DE,GB,IT,ES
# Vulnerable Citrix in DACH region
vuln:CVE-2019-19781 countryE,CH,AT
```
---
Over 200 Shodan queries classified by category, with geographic details when relevant.
## C2 (Command & Control) Infrastructure
```
# Cobalt Strike
product:"cobalt strike team server"
product:"Cobalt Strike Beacon"
ssl.cert.serial:146473198
ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1
ssl:foren.zik
# Brute Ratel C4
http.html_hash:-1957161625
product:"Brute Ratel C4"
# Metasploit
ssl:"MetasploitSelfSignedCA"
# Covenant
ssl:"Covenant" http.component:"Blazor"
# Mythic
ssl:"Mythic"
ssl:Mythic port:7443
# Sliver C2
product:"Sliver C2"
# Various RATs
product:'Ares RAT C2'
product:'DarkComet Trojan'
product:'DarkTrack RAT Trojan'
product:'Orcus RAT Trojan'
product:'XtremeRAT Trojan'
ssl:"AsyncRAT Server"
ssl.cert.subject.cn:"Quasar Server CA"
http.title:"Meduza Stealer"
http.title:"Mystic Stealer"
"nimplant C2 server"
```
## Industrial Control Systems (ICS/SCADA)
### Specific Equipment
```
# Samsung digital signage
"Server: Prismview Player"
# Gas pump controllers (ATG)
# ~91% in the United States (5300+ out of 5800 detected according to Rapid7)
"in-tank inventory" port:10001
# License plate readers (ALPR)
# Mainly USA, UK, Australia
P372 "ANPR enabled"
html:"PIPS Technology ALPR Processors"
# Traffic light controllers
mikrotik streetlight
# Nordex wind turbines (German manufacturer)
http.title:"Nordex Control" "Windows 2000 5.0 x86"
title:"xzeres wind"
# Siemens PLCs (global, strong in Europe)
"Siemens, SIMATIC" port:161
# Siemens HVAC systems
"Server: Microsoft-WinCE" "Content-Length: 12581"
# DICOM medical equipment
"DICOM Server Response" port:104
# GaugeTech electric meters
"Server: EIG Embedded Web Server" "200 Document follows"
# HID access controllers (US manufacturer)
"HID VertX" port:4070
# Tesla PowerPack (USA, Australia)
http.title:"Tesla PowerPack System" http.component:"d3"
# Electric vehicle chargers
"Server: gSOAP/2.8" "Content-Length: 583"
# Maritime satellites
"Cobham SATCOM" OR ("Sailor" "VSAT")
# Research submarines (USA)
title:"Slocum Fleet Mission Control"
# CAREL industrial refrigeration (Italy)
"Server: CarelDataServer" "200 Document follows"
# NCR ATMs (US manufacturer)
NCR Port:"161"
# Prison phones (USA only)
"[2J[H Encartele Confidential"
# Cisco lawful intercept (USA)
"Cisco IOS" "ADVIPSERVICESK9_LI-M"
```
### Industrial Protocols
```
port:502 # Modbus
port:1911,4911 product:Niagara # Niagara Fox (Tridium, USA)
port:47808 # BACnet
port:102 # S7 (Siemens, Germany)
port:44818 # EtherNet/IP
port:20000 source address # DNP3
port:2404 asdu address # IEC 60870-5-104
```
## Remote Access
```
# VNC without authentication
"authentication disabled" "RFB 003.008"
"authentication disabled" port:5900,5901
# Windows Remote Desktop (RDP)
"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"
# RDP infected by ransomware
"attention" "encrypted" port:3389
# Telnet with open root session
"root@" port:23 -login -password -name -Session
port:23 console gateway
# Exposed Android Debug Bridge
"Android Debug Bridge" "Device" port:5555
# Citrix
"Citrix Applications:" port:1604
title:"citrix gateway"
html:"/citrix/xenapp"
# Polycom video conferencing
http.title:"- Polycom" "Server: lighttpd"
"Polycom Command Shell" -failed port:23
# noVNC
http.title:"noVNC"
# Lantronix serial-to-ethernet adapters
Lantronix password port:30718 -secured
"Press Enter for Setup Mode port:9999"
```
## Exposed Databases
```
# MongoDB
"MongoDB Server Information" port:27017 -authentication
"Set-Cookie: mongo-express=" "200 OK"
http.title:"mongo express"
# Elasticsearch
port:9200 json
port:"9200" all:"elastic indices"
http.title:"kibana"
# Redis
product:"Redis"
html:"redis.conf"
# MySQL
product:MySQL
mysql port:"3306"
# PostgreSQL
port:5432 product:"PostgreSQL"
# CouchDB
product:"CouchDB"
port:"5984"+Server: "CouchDB/2.1.0"
# Cassandra
product:"Cassandra"
cpe:"cpe:2.3:a:apache:cassandra"
# Memcached
product:"Memcached"
# Riak
port:8087 Riak
# ClickHouse
"X-ClickHouse-Summary"
# InfluxDB
"X-Influxdb-"
```
## DevOps and Cloud Infrastructure
```
# Jenkins
"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
x-jenkins 200
# Docker
"Docker Containers:" port:2375
"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab
port:2375 product:"docker"
# Kubernetes
title:"Weave Scope" http.favicon.hash:567176827
product:"kubernetes"
ssl:"Kubernetes Ingress Controller Fake Certificate"
http.title:"Kubernetes Operational View"
http.title:"Hubble UI"
title:kubecost
title:Kube-state-metrics
# GitLab
http.title:"GitLab"
product:"GitLab Self-Managed"
html:"GitLab Enterprise Edition"
# Gitea
http.title:"Gitea"
html:"Powered by Gitea"
# Grafana
http.title:"Grafana"
# Prometheus/Alertmanager
http.title:"Alertmanager"
http.title:"Prometheus"
# Argo CD
http.title:"Argo CD"
html:"Argo CD"
# Airflow
http.title:"Sign In - Airflow"
html:"Apache Airflow"
# Harbor Registry
http.title:"Harbor"
# Rancher
http.title:"Rancher"
# Portainer
http.title:"Portainer"
# Traefik
http.title:"traefik"
# Consul/Vault
http.title:"Consul"
http.title:"Vault"
# Exposed AWS
html:"Amazon EC2 Status"
html:"AWS EC2 Auto Scaling Lab"
title:"Amazon ECS Sample App"
X-Amz-Server-Side-Encryption
html:"blob.core.windows.net"
# Azure
title:"Microsoft Azure App Service - Welcome"
html:"Your Azure Function App is up and running"
title:"Welcome to Azure Container Instances!"
```
## File Shares and NAS
```
# SMB without authentication
"Authentication: disabled" port:445
"Authentication: disabled" NETLOGON SYSVOL -unix port:445
# Anonymous FTP
"220" "230 Login successful." port:21
product:"vsftpd"
product:"ProFTPD"
# NAS
"Set-Cookie: iomega=" -"manage/login.html"
Redirecting sencha port:9000
ssl.cert.issuer.cn:"QNAP NAS"
# Shared sensitive files
"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" port:445
"IPC$ all storage devices"
# File servers
product:"HttpFileServer httpd"
http.title:"HFS /"
```
## Webcams and Video Surveillance
### By Manufacturer
| Manufacturer | Country of Origin | Dork |
|--------------|-------------------|------|
| Hikvision | China | `product:"Hikvision IP Camera"` |
| Dahua | China | `product:"Dahua"` |
| Reolink | China | `http.title:"Reolink"` |
| GeoVision | Taiwan | `server: GeoHttpServer` |
| Vivotek | Taiwan | `server: VVTK-HTTP-Server` |
| D-Link | Taiwan | `"d-Link Internet Camera, 200 OK"` |
| Avigilon | Canada | `title:"Avigilon"` |
| Mobotix | Germany | `title:"Mobotix"` |
| TRASSIR | Russia | `title:"Trassir Webview"` |
| Blue Iris | USA (software) | `http.title:"Blue Iris Login"` |
| Samsung | South Korea | `title:"web viewer for samsung dvr"` |
> **Security Note**: Hikvision has a known backdoor (CVE-2021-36260)
### Generic Queries
```
title:camera
webcam has_screenshot:true
title:"IPCam Client"
title:"ContaCam"
200 ok dvr port:"81"
Netwave IP Camera Content-Length: 2574
"Server: yawcam" "Mime-Type: text/html"
("webcam 7" OR "webcamXP") http.component:"mootools"
"Server: IP Webcam Server" "200 OK"
html:"DVR_H264 ActiveX"
"Hipcam RealServer/V1.0"
http.title:"NETSurveillance WEB"
http.title:"CompleteView Web Client"
```
## Network Equipment and Routers
### By Manufacturer
| Manufacturer | Country | Dorks |
|--------------|---------|-------|
| Cisco | USA | `"smart install client active"`, `http.title:"Cisco Systems Login"` |
| MikroTik | Latvia | `http.title:"RouterOS router configuration page"`, `product:"MikroTik RouterOS API Service"` |
| Fortinet | USA | `ssl:"ou=fortigate"`, `http.title:"FORTINET LOGIN"` |
| Palo Alto | USA | `http.title:"Palo Alto"` |
| SonicWall | USA | `http.title:"SonicWall Network Security"` |
| Juniper | USA | `http.title:"Juniper Web Device Manager"` |
| Ubiquiti | USA | `http.title:"UniFi Network"`, `http.title:"AirCube Dashboard"` |
| Huawei | China | `http.title:"HUAWEI"`, `html:"HUAWEI Home Gateway HG658d"` |
| ZTE | China | `html:"ZTE Corporation"` |
| TP-Link | China | `html:"WN530HG4"`, `html:"WN531G3"` |
| D-Link | Taiwan | `"DIR-845L"` |
| ASUS | Taiwan | `title:"AiCloud"`, `"RT-N16"` |
| Tenda | China | `http.title:"Tenda 11N Wireless Router Login Screen"` |
### Specific Queries
```
# Compromised routers
HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD
hacked-router-help-sos
# pfSense/OPNsense (open source)
http.title:"pfsense - login"
http.title:"opnsense"
# Intel AMT (CVE-2017-5689)
"Intel® Active Management Technology" port:623,664,16992,16993,16994,16995
# HP iLO
HP-ILO-4 !"HP-ILO-4/2.53" port:1900
# IPMI/BMC
http.title:"Supermicro BMC Login"
# Linksys
http.title:"Linksys Smart WI-FI"
# HP/Aruba
http.title:"HP Virtual Connect Manager"
```
## Vulnerable Web Applications
```
# WordPress
http.html:"* The wp-config.php creation script uses this file"
http.html:/wp-content/plugins/jestream-fusion/
http.component:"WordPress"
# Magento
http.component:"magento"
http.title:"Magento Installation"
# Drupal
http.component:"drupal"
# Joomla
http.component:"Joomla"
http.title:"Joomla Web Installer"
# Laravel
Laravel-Framework
html:"Laragon" html:"phpinfo"
# Django
http.title:"The install worked successfully! Congratulations!"
cpe:"cpe:2.3:a:djangoproject:django"
# Symfony
html:"symfony Profiler"
http.title:"Welcome to Symfony"
# phpMyAdmin
http.title:phpMyAdmin
html:"phpMyAdmin"
# Adminer
http.title:adminer
# Directory listing
http.title:"Index of /" http.html:".pem"
http.title:"Index of /" http.html:"phpinfo.php"
# Revealing error pages
http.title:"Struts Problem Report"
html:"Whitelabel Error Page"
html:"Twig Runtime Error"
http.title:"PHP warning" || "Fatal error"
html:"yii\base\ErrorException"
http.title:"Runtime Error"
http.title:"Database Error"
# Exposed configuration files
html:"wp-config.php"
html:"config.php"
html:".env"
html:"parameters.yml"
html:"settings.py"
html:"application.properties"
```
## Email Servers
```
# Exchange OWA
"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"
"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"
# Zimbra
http.title:"Zimbra"
# Roundcube
http.component:"RoundCube"
# Horde
http.title:"Horde"
# SOGo
http.title:"SOGo"
# Axigen
product:"Axigen"
http.title:"Axigen WebMail"
# SMTP servers
ESMTP
product:"Exim smtpd"
```
## VPN and Secure Access
```
# OpenVPN
cpe:"cpe:2.3:a:openvpn:openvpn_access_server"
http.title:"openvpn connect"
http.title:"OVPN Config Download"
http.title:"TurnKey OpenVPN"
# Pulse Secure
cpe:"cpe:2.3:a:pulsesecure:pulse_connect_secure"
http.html:/dana-na
# Fortinet VPN
http.title:"FortiPortal"
ssl:"ou=fortiauthenticator"
# Cisco AnyConnect
http.title:"Cisco Secure CN"
# WireGuard
http.title:"WireGuard"
# SoftEther
http.title:"SoftEther VPN Server"
```
## Exposed Security Tools
```
# Nessus
http.title:"Nessus"
# Burp Collaborator
"Server: Burp Collaborator"
# OWASP ZAP
http.title:"OWASP ZAP"
# Nuclei/Interactsh
html:"Interactsh Server"
# Gophish (phishing)
http.title:"Gophish - Login"
# DefectDojo
html:"DefectDojo Logo"
# Faraday
html:"faradayApp"
# reNgine
title:"reNgine"
# OpenCTI
html:"OpenCTI"
```
## Compromised Systems and Ransomware
```
# Hacked routers
HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD
# Infected RDP services
"attention" "encrypted" port:3389
# Compromised FTP
HACKED FTP server
# Defaced sites
http.title:"Hacked By"
http.title:"0wn3d by"
# Ransomware with screenshot
bitcoin has_screenshot:true
has_screenshot:true encrypted attention
```
## IoT and Home Devices
```
# Chromecast/Smart TV
"Chromecast:" port:8008
# Apple AirPlay
"\x08_airplay" port:5353
# Yamaha
"Server: AV_Receiver" "HTTP/1.1 406"
# Crestron home automation
"Model: PYNG-HUB"
# Thermostats
http.title:"Heatmiser Wifi Thermostat"
# Smart bulbs
http.title:"Hue Personal"
# 3D printers
title:"OctoPrint" -title:"Login"
# Crypto miners
"ETH - Total speed"
antminer
```
## Printers
```
# HP
"Serial Number:" "Built:" "Server: HP HTTP"
http.title:"HP Color LaserJet"
# Xerox
ssl:"Xerox Generic Root"
http.title:"XEROX WORKCENTRE"
# Epson
"SERVER: EPSON_Linux UPnP" "200 OK"
# Canon
"Server: KS_HTTP" "200 OK"
"Server: CANON HTTP Server"
# Ricoh
html:"Web Image Monitor"
# Konica Minolta
http.title:"Konica Minolta"
```
## Favicon Hash
```
http.favicon.hash:945408572 # Fortinet
http.favicon.hash:1057565779 # Citrix
http.favicon.hash:1099370896 # Grafana
http.favicon.hash:-338095061 # Kibana
http.favicon.hash:-388646567 # Jenkins
http.favicon.hash:-1505567026 # GitLab
http.favicon.hash:116323821 # Spring Boot
```
## CVE Vulnerabilities (vuln: filter)
> Requires Small Business plan minimum
```
vuln:CVE-2014-0160 # Heartbleed
vuln:CVE-2021-44228 # Log4Shell
vuln:CVE-2021-26855 # ProxyLogon (Exchange)
vuln:CVE-2019-19781 # Citrix ADC
vuln:CVE-2017-0144 # EternalBlue
vuln:CVE-2021-34473 # ProxyShell
vuln:CVE-2022-22954 # VMware Workspace ONE
vuln:CVE-2023-22515 # Confluence
vuln:CVE-2024-27348 # Apache HugeGraph
```
## Country-Specific Products
### China
```
# Chinese CMS and applications
html:"通达OA" # Tongda OA
html:"DedeCms" # Popular CMS
title:"dedecms"
html:"帝国CMS" # Empire CMS
html:"PbootCMS"
html:"ThinkPHP" # PHP Framework
title:"ThinkPHP"
html:"YzmCMS"
html:"Z-BlogPHP"
html:"Wuzhicms"
html:"74cms" # Job portal
html:"zzcms"
html:"ZzzCMS"
# Routers
http.title:"小米路由器" # Xiaomi
# Specific systems
html:"高清智能录播系统" # Recording system
http.title:"TamronOS IPTV系统"
title:"孚盟云"
title:"ShopXO企业级B2C电商系统"
http.title:"WIFISKY-7层流控路由器"
# Security
html:"H3C-SecPath-运维审计系统" # H3C
```
### Russia
```
html:"Bitrix" # Very popular CMS
http.html:"/bitrix/"
title:"контроллер" # Controller
title:"Trassir Webview" # Video surveillance
```
### France
```
http.title:"HYPERPLANNING" # School software
http.title:"PRONOTE" # School software
html:"engage - Portail soignant" # Healthcare
```
### South Korea
```
html:"Gnuboard"
html:"gnuboard5"
```
## Geographic Queries
### Basic Filters
```
country:US # United States
country:GB # United Kingdom
country
E # Germanycountry:FR # France
country:CN # China
country:RU # Russia
country:JP # Japan
country:IN # India
country:BR # Brazil
city:"Paris"
city:"New York"
region:"California"
region:"Texas"
```
### By ASN
```
asn:AS15169 # Google
asn:AS8075 # Microsoft
asn:AS16509 # Amazon AWS
asn:AS13335 # Cloudflare
```
### Special Case: North Korea
```
# Entire country (~1024 IPs)
net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24
```
### Useful Combinations
```
# US company infrastructure
org:"Target Company" country:US port:443
# Exposed MongoDB in Germany
product:MongoDB country
E -authentication# Jenkins in China
"X-Jenkins" country:CN
# Webcams in the USA
webcam country:US has_screenshot:true
# MikroTik routers in Russia
product:"MikroTik" country:RU
# Vulnerable Apache servers in Europe
product:apache vuln:CVE-2021-41773 country:FR,DE,GB,IT,ES
# Vulnerable Citrix in DACH region
vuln:CVE-2019-19781 country
E,CH,AT```
---
This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Contact Administration.
Ban Reason: Contact Administration.